mocha-2.5.3.tgz: 5 vulnerabilities (highest severity is: 9.8)

[mend-for-github-com]

Vulnerable Library - mocha-2.5.3.tgz

simple, flexible, fun test framework

Library home page: https://registry.npmjs.org/mocha/-/mocha-2.5.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/mocha/package.json

Found in HEAD commit: 79859a7465b541051407125fbc97d67425b33dc4

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in	Remediation Available
CVE-2017-16042	High	9.8	growl-1.9.2.tgz	Transitive	4.0.0	✅
CVE-2016-10540	High	7.5	minimatch-0.3.0.tgz	Transitive	3.0.0-0	✅
WS-2018-0590	High	7.1	diff-1.4.0.tgz	Transitive	5.0.3	✅
CVE-2020-7598	Medium	5.6	minimist-0.0.8.tgz	Transitive	6.2.3	✅
WS-2019-0425	Medium	5.3	mocha-2.5.3.tgz	Direct	6.0.0	✅

Details

CVE-2017-16042

Vulnerable Library - growl-1.9.2.tgz

Growl unobtrusive notifications

Library home page: https://registry.npmjs.org/growl/-/growl-1.9.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/growl/package.json

Dependency Hierarchy:

• mocha-2.5.3.tgz (Root Library)
  • ❌ growl-1.9.2.tgz (Vulnerable Library)

Found in HEAD commit: 79859a7465b541051407125fbc97d67425b33dc4

Found in base branch: master

Vulnerability Details

Growl adds growl notification support to nodejs. Growl before 1.10.2 does not properly sanitize input before passing it to exec, allowing for arbitrary command execution.

Publish Date: 2018-06-04

URL: CVE-2017-16042

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2017-16042

Release Date: 2018-06-04

Fix Resolution (growl): 1.10.2

Direct dependency fix Resolution (mocha): 4.0.0

⛑️ Automatic Remediation is available for this issue

CVE-2016-10540

Vulnerable Library - minimatch-0.3.0.tgz

a glob matcher in javascript

Library home page: https://registry.npmjs.org/minimatch/-/minimatch-0.3.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/mocha/node_modules/minimatch/package.json

Dependency Hierarchy:

• mocha-2.5.3.tgz (Root Library)
  • glob-3.2.11.tgz
    • ❌ minimatch-0.3.0.tgz (Vulnerable Library)

Found in HEAD commit: 79859a7465b541051407125fbc97d67425b33dc4

Found in base branch: master

Vulnerability Details

Minimatch is a minimal matching utility that works by converting glob expressions into JavaScript RegExp objects. The primary function, minimatch(path, pattern) in Minimatch 3.0.1 and earlier is vulnerable to ReDoS in the pattern parameter.

Publish Date: 2018-05-31

URL: CVE-2016-10540

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2016-10540

Release Date: 2018-05-31

Fix Resolution (minimatch): 3.0.2

Direct dependency fix Resolution (mocha): 3.0.0-0

⛑️ Automatic Remediation is available for this issue

WS-2018-0590

Vulnerable Library - diff-1.4.0.tgz

A javascript text diff implementation.

Library home page: https://registry.npmjs.org/diff/-/diff-1.4.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/diff/package.json

Dependency Hierarchy:

• mocha-2.5.3.tgz (Root Library)
  • ❌ diff-1.4.0.tgz (Vulnerable Library)

Found in HEAD commit: 79859a7465b541051407125fbc97d67425b33dc4

Found in base branch: master

Vulnerability Details

A vulnerability was found in diff before v3.5.0, the affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) attacks.

Publish Date: 2018-03-05

URL: WS-2018-0590

CVSS 3 Score Details (7.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: kpdecker/jsdiff@2aec429

Release Date: 2018-03-05

Fix Resolution (diff): 3.5.0

Direct dependency fix Resolution (mocha): 5.0.3

⛑️ Automatic Remediation is available for this issue

CVE-2020-7598

Vulnerable Library - minimist-0.0.8.tgz

parse argument options

Library home page: https://registry.npmjs.org/minimist/-/minimist-0.0.8.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/mocha/node_modules/minimist/package.json

Dependency Hierarchy:

• mocha-2.5.3.tgz (Root Library)
  • mkdirp-0.5.1.tgz
    • ❌ minimist-0.0.8.tgz (Vulnerable Library)

Found in HEAD commit: 79859a7465b541051407125fbc97d67425b33dc4

Found in base branch: master

Vulnerability Details

minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a "constructor" or "proto" payload.

Publish Date: 2020-03-11

URL: CVE-2020-7598

CVSS 3 Score Details (5.6)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://github.com/substack/minimist/commit/63e7ed05aa4b1889ec2f3b196426db4500cbda94

Release Date: 2020-03-11

Fix Resolution (minimist): 0.2.1

Direct dependency fix Resolution (mocha): 6.2.3

⛑️ Automatic Remediation is available for this issue

WS-2019-0425

Vulnerable Library - mocha-2.5.3.tgz

simple, flexible, fun test framework

Library home page: https://registry.npmjs.org/mocha/-/mocha-2.5.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/mocha/package.json

Dependency Hierarchy:

• ❌ mocha-2.5.3.tgz (Vulnerable Library)

Found in HEAD commit: 79859a7465b541051407125fbc97d67425b33dc4

Found in base branch: master

Vulnerability Details

Mocha is vulnerable to ReDoS attack. If the stack trace in utils.js begins with a large error message, and full-trace is not enabled, utils.stackTraceFilter() will take exponential run time.

Publish Date: 2019-01-24

URL: WS-2019-0425

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: v6.0.0

Release Date: 2019-01-24

Fix Resolution: 6.0.0

⛑️ Automatic Remediation is available for this issue

---

⛑️ Automatic Remediation is available for this issue.